Cyber threatens M&A deals

Mergers & Acquisitions (M&A) process often overlooks the significance of the cybersecurity risks. One of the key risks is that cyber-attacks have taken place without the target’s awareness and without the acquirer’s knowledge.

There are number of recent examples where cyber threats impacted M&A and broader investment decisions:

  • Yahoo! disclosed two major data breaches of user account data to hackers during the second half of 2016. The breaches have impacted Verizon Communications’s July 2016 plans to acquire Yahoo! for about $4.8 billion, which resulted in a decrease of $350 million in the final price on the deal closed in June 2017.
  • Marriott revealed data breach of nearly 500 million Starwood guests. Starwood guest reservation system was hacked in 2014—two years before Marriott purchased Starwood network. According to Bloomberg, Marriott International’s $13.6 billion purchase of Starwood Hotel & Resorts was based on rational that SPG loyalty program would bring more travelers to the Marriott chain.
  • Back in 2017, information about 17m users of the Zomato (food-tech company popular for food ordering in the Middle East) was stolen and attempted to be sold in darknet for the price set at c.1k USD.
  • And now, in early 2020, Travelex (partially owned by UAE-based businessman) being held ransom, cyber attack forced the remittance organization to turn off all computer systems. Within just one month of development (between 10 December 2019 and 10 January 2020) stock price of the parent (Finablr PLC) has dropped by c.40%.

As you may see cyber-attacks may result in severe reputational damage, legal penalties, loss of opportunity and negatively impact valuation. Cyber attackers often look for confidential information (about clients), executives’ emails, intellectual property (including R&D data) and other sensitive information such as deal information.

Out of 2,700 information technology and business decision makers surveyed by Forescout Technologies 53% reported that their organization had encountered a critical cybersecurity issue or incident that put an M&A deal in jeopardy.

According to the IBM report, average cost of data breach in 2019 is estimated at USD 3.92 million. Some of the top-rated cyber threats to look in 2020 are:

  • Phishing attacks (more often fueled by Artificial Intelligence for spearphishing effect. Such attacks convincingly mimice the truth in attempt to circumvent the target)
  • Ransomware (i.e. WannaCry, Petya and modifications)
  • Malicious insider (attacks facilitated by staff still represent the majority of the cyber-attacks; in some notable cases insiders are motivated by job security or retaliation)
  • Data loss/leak from cloud storage (often observed at the time of migration activities, when relaxed security policies are left unnoticed post cutover)

M&A process often does not allow enough time to assess the state of the cyber security of the target. However, professional service firms take Cyber security due diligence to the whole new level and focus on some of the key areas, such as:

  • Information security/Cyber operations
  • IS/Cyber governance
  • Third-party/vendor risks
  • Technology platform and hosting
  • Data/Information asset value

Though comprehensive cyber due diligence is required there are things one can do at the early stage of M&A strategy. For example during the process of shortlisting potential acquisition targets. One of the simplest things I can recommend is to check if the target organization is already compromised. Try looking-up if target accounts information in publicly available data breach collections. One of which is the